Product

Changelog

New features, security updates, and bug fixes. Subscribe to our newsletter to get updates delivered to your inbox.

v2.5.0

major24 May 2026

New

•Quanta Copilot (AI agent) - 10 tools for vault, encryption, compliance, and proxy operations. Available on Professional+ plans.
•MCP Server v1.0 - 18 MCP tools for Claude Desktop, GPT-4o, and other AI agents. stdio + SSE transport.
•FIDO2/WebAuthn passkey authentication - register passkeys as primary login method.
•CSA STAR Level 1 self-assessment (CAIQ) - available to customers under NDA.
•Crypto Agility Engine - zero-downtime algorithm migration across all vault entries.
•ML Anomaly Detection - behavioural baselines per tenant; alerts on unusual API patterns.
•Managed File Transfer (MFT) - PQC-encrypted file transfer with S3 WORM delivery receipts.
•CMMC 2.0 control mapping document - available to US defence-sector customers.

Improved

•liboqs upgraded to 0.14.1 - latest NIST-finalised ML-KEM and ML-DSA implementations.
•Thread-safety fix: oqs.Signature instances now created in worker thread pool, eliminating async/sync boundary issues.
•Compliance engine expanded to 9 frameworks and 56 controls (added NIST SP 800-53 Rev 5).
•Audit log performance - hash chain verification now parallelised across CPU cores.
•Frontend React Query cache tuned: staleTime 30s, gcTime 5min, reducing redundant API calls by ~60%.

Security

•Fixed: AUD $500 liability cap fallback removed from Terms of Service - cap is now fees-paid only.
•Added: GDPR ePrivacy cookie consent banner with localStorage persistence.
•Added: RFC 9116 security.txt at /.well-known/security.txt.
•Timing normalisation middleware now covers the full ML-DSA-65 signature verification path.
•Anti-replay nonce TTL reduced from 5 minutes to 3 minutes for improved replay resistance.

v2.4.0

minor1 April 2026

New

•Salesforce Managed Package 2GP (namespace: quantaseal) - Apex proxy service, LWC field encryption, bulk encrypt batch job.
•PQC tokenization engine - PII → opaque tokens with format-preserving encryption.
•SIEM push integration - Splunk, Datadog, Elastic, and generic webhook.
•Data residency enforcement - ap-southeast-2 (Australia) and eu-central-1 (EU) regions.
•Go SDK v1.0 - context-aware, connection pooling, full domain coverage.

Improved

•Vault TTL enforcement - expired credentials now return 403 with no payload leak.
•Stripe billing meters - real-time usage tracking for encryption operations and proxy requests.
•Enterprise deal auto-provisioning - tenant created automatically on invoice.payment_succeeded webhook.

Fixed

•Fixed: structlog async method calls (logger.ainfo/awarning) replaced with synchronous equivalents.
•Fixed: KMSWrapper() instantiation now always requires tenant_id parameter.
•Fixed: ML-DSA-65 HMAC key derivation corrected to SHA-512 (was incorrectly using SHA-256 in one code path).

v2.3.0

minor1 March 2026

New

•HIPAA BAA programme - request at hipaa@quantaseal.io.
•GDPR Article 28 DPA - standard DPA with SCCs available at /legal/dpa.
•Sub-processor list published at /legal/sub-processors with change notification subscription.
•Export controls page - DSGL, EAR ECCN 5D002, CMMC 2.0 guidance at /legal/export-controls.
•Accessibility statement (WCAG 2.1 AA) at /legal/accessibility.

Improved

•40+ adapters now registered - added HubSpot, Dynamics 365, Zoho, Pipedrive, generic gRPC.
•Rate limiting jitter added to Retry-After header to defeat rate limit calibration attacks.
•Ciphertext bucket padding tightened - now 4 fixed sizes (256B, 1KB, 4KB, 16KB).

v2.2.0

minor1 February 2026

New

•White Label plan - AUD $999/mo, full white-label branding, custom domain.
•AWS Nitro Enclave support - RSA signing operations isolated from host memory.
•Compliance engine v2 - automated PDF report generation for 9 frameworks.
•RAG-based compliance evidence retrieval - LLM can query audit logs for evidence.

Security

•Mandatory PQC JWT claim rejection - tokens missing pqc_sig claim are hard-rejected.
•SSRF backstop added to proxy dispatch - catches cases where adapters omit their own check.
•Default-deny operation policy enforced on all integration adapters.

v2.1.0

minor5 January 2026

New

•Multi-Factor Authentication - TOTP (Google Authenticator, Authy) and WebAuthn.
•QuantaVault credential rotation - automatic rotation with configurable schedules.
•Immutable audit log hash chain - SHA3-256 + ML-DSA-65 signature per entry, S3 WORM storage.
•Incident response automation - pattern-based detection, automated revocation.

Improved

•RBAC expanded: viewer / editor / admin / owner roles.
•API key rotation - invalidate all API keys and issue new ones atomically.
•Database read replica support - read queries routed to replica for performance.

v2.0.0

major1 December 2025

New

•QuantaSeal 2.0 - complete rewrite on FastAPI + Next.js 15 + PostgreSQL 16.
•ML-KEM-768 + ML-DSA-65 + AES-256-GCM - first production PQC credential vault.
•Per-tenant AWS KMS CMK - dedicated key per customer, zero key sharing.
•Bidirectional API proxy - UniversalProxyEngine with Salesforce, SAP, Oracle adapters.
•Five-tier subscription model - Starter, Professional, Growth, Enterprise, White Label.
•Python SDK, Node.js SDK, CLI - full API coverage.

ML-KEM

DSA-65

QUANTASEAL

ML-KEM-768AES-256-GCMML-DSA-65

Initializing Quantum Vault

Product

Changelog

New features, security updates, and bug fixes. Subscribe to our newsletter to get updates delivered to your inbox.

v2.5.0

major24 May 2026

New

•Quanta Copilot (AI agent) - 10 tools for vault, encryption, compliance, and proxy operations. Available on Professional+ plans.
•MCP Server v1.0 - 18 MCP tools for Claude Desktop, GPT-4o, and other AI agents. stdio + SSE transport.
•FIDO2/WebAuthn passkey authentication - register passkeys as primary login method.
•CSA STAR Level 1 self-assessment (CAIQ) - available to customers under NDA.
•Crypto Agility Engine - zero-downtime algorithm migration across all vault entries.
•ML Anomaly Detection - behavioural baselines per tenant; alerts on unusual API patterns.
•Managed File Transfer (MFT) - PQC-encrypted file transfer with S3 WORM delivery receipts.
•CMMC 2.0 control mapping document - available to US defence-sector customers.

Improved

•liboqs upgraded to 0.14.1 - latest NIST-finalised ML-KEM and ML-DSA implementations.
•Thread-safety fix: oqs.Signature instances now created in worker thread pool, eliminating async/sync boundary issues.
•Compliance engine expanded to 9 frameworks and 56 controls (added NIST SP 800-53 Rev 5).
•Audit log performance - hash chain verification now parallelised across CPU cores.
•Frontend React Query cache tuned: staleTime 30s, gcTime 5min, reducing redundant API calls by ~60%.

Security

•Fixed: AUD $500 liability cap fallback removed from Terms of Service - cap is now fees-paid only.
•Added: GDPR ePrivacy cookie consent banner with localStorage persistence.
•Added: RFC 9116 security.txt at /.well-known/security.txt.
•Timing normalisation middleware now covers the full ML-DSA-65 signature verification path.
•Anti-replay nonce TTL reduced from 5 minutes to 3 minutes for improved replay resistance.

v2.4.0

minor1 April 2026

New

•Salesforce Managed Package 2GP (namespace: quantaseal) - Apex proxy service, LWC field encryption, bulk encrypt batch job.
•PQC tokenization engine - PII → opaque tokens with format-preserving encryption.
•SIEM push integration - Splunk, Datadog, Elastic, and generic webhook.
•Data residency enforcement - ap-southeast-2 (Australia) and eu-central-1 (EU) regions.
•Go SDK v1.0 - context-aware, connection pooling, full domain coverage.

Improved

•Vault TTL enforcement - expired credentials now return 403 with no payload leak.
•Stripe billing meters - real-time usage tracking for encryption operations and proxy requests.
•Enterprise deal auto-provisioning - tenant created automatically on invoice.payment_succeeded webhook.

Fixed

•Fixed: structlog async method calls (logger.ainfo/awarning) replaced with synchronous equivalents.
•Fixed: KMSWrapper() instantiation now always requires tenant_id parameter.
•Fixed: ML-DSA-65 HMAC key derivation corrected to SHA-512 (was incorrectly using SHA-256 in one code path).

v2.3.0

minor1 March 2026

New

•HIPAA BAA programme - request at hipaa@quantaseal.io.
•GDPR Article 28 DPA - standard DPA with SCCs available at /legal/dpa.
•Sub-processor list published at /legal/sub-processors with change notification subscription.
•Export controls page - DSGL, EAR ECCN 5D002, CMMC 2.0 guidance at /legal/export-controls.
•Accessibility statement (WCAG 2.1 AA) at /legal/accessibility.

Improved

•40+ adapters now registered - added HubSpot, Dynamics 365, Zoho, Pipedrive, generic gRPC.
•Rate limiting jitter added to Retry-After header to defeat rate limit calibration attacks.
•Ciphertext bucket padding tightened - now 4 fixed sizes (256B, 1KB, 4KB, 16KB).

v2.2.0

minor1 February 2026

New

•White Label plan - AUD $999/mo, full white-label branding, custom domain.
•AWS Nitro Enclave support - RSA signing operations isolated from host memory.
•Compliance engine v2 - automated PDF report generation for 9 frameworks.
•RAG-based compliance evidence retrieval - LLM can query audit logs for evidence.

Security

•Mandatory PQC JWT claim rejection - tokens missing pqc_sig claim are hard-rejected.
•SSRF backstop added to proxy dispatch - catches cases where adapters omit their own check.
•Default-deny operation policy enforced on all integration adapters.

v2.1.0

minor5 January 2026

New

•Multi-Factor Authentication - TOTP (Google Authenticator, Authy) and WebAuthn.
•QuantaVault credential rotation - automatic rotation with configurable schedules.
•Immutable audit log hash chain - SHA3-256 + ML-DSA-65 signature per entry, S3 WORM storage.
•Incident response automation - pattern-based detection, automated revocation.

Improved

•RBAC expanded: viewer / editor / admin / owner roles.
•API key rotation - invalidate all API keys and issue new ones atomically.
•Database read replica support - read queries routed to replica for performance.

v2.0.0

major1 December 2025

New

•QuantaSeal 2.0 - complete rewrite on FastAPI + Next.js 15 + PostgreSQL 16.
•ML-KEM-768 + ML-DSA-65 + AES-256-GCM - first production PQC credential vault.
•Per-tenant AWS KMS CMK - dedicated key per customer, zero key sharing.
•Bidirectional API proxy - UniversalProxyEngine with Salesforce, SAP, Oracle adapters.
•Five-tier subscription model - Starter, Professional, Growth, Enterprise, White Label.
•Python SDK, Node.js SDK, CLI - full API coverage.